Developer Dan Robinson announced today, May 1, a proposal called PACT (Verifiable Address Control Timestamp), which aims to protect Bitcoin (BTC) holders with addresses that are vulnerable to quantum computing without currently having to perform any visible operations on the network.
Mr. Robinson said that the user Do not engage in chain transactionsthere is no transfer of funds or disclosure of your identity or balance. The owner acts privately, outside the network, and does not act on anyone (nor other users or potential attackers). I see that you took some action.explains the developer.
In the context of the quantum controversy in Bitcoin, the alternative is to force holders to move publicly or risk losing their funds in a theoretical quantum attack. Its private character is the core of the proposal.
The problem that PACT seeks to solve stems from a specific vulnerability. Some Bitcoin addresses have their public keys published on-chain, such as the old Payment to Public Key (P2PK) format. This means that a sufficiently powerful quantum computer could derive your private key and steal your funds.
One of the most discussed responses in the community, and mentioned by Robinson, is to freeze these addresses through a protocol update (BIP-361), forcing holders to move their funds by a certain deadline or leave their funds in the vulnerable address. This solution has a high privacy cost, but Because the movement of Bitcoin is a public and traceable act.
The most emblematic case is Addresses presumed to be related to Satoshi Nakamotoapproximately 1.1 million BTC (currently over 85 billion USD) has been accumulated in the old format with public keys. If the protocol freezes these addresses without a redress mechanism, those funds will become permanently inaccessible. If you don’t freeze it, you’re at risk of quantum theft.
How does PACT work?
PACT introduces a mechanism that can be divided into two points in time. One currently without any cost or on-chain action, and the other in the future if Bitcoin decides to freeze vulnerable addresses.
At the first moment, the owner generates a digital signature proving control of his address and combines it with a secret random number called “sal” (which acts as an additional key known only to him) to generate an encrypted commitment that does not reveal any of those elements. That commitment Stamps on the Bitcoin chain using OpenTimestampsa free, open-source service that logs all the data on your network without revealing its contents.
The result is a verifiable timestamp that proves ownership. knew the private key before a certain datedoes not say what that key is or what address it corresponds to.
In the next moment, if a vulnerable address is frozen in Bitcoin, the owner will have to prove to the protocol that they were already in possession of that key before the quantum hazard existed. Therefore, PACT We will suggest ways to rescue BTC that may have been frozen.
To achieve this, Robinson proposes that Bitcoin accept a type of cryptographic proof called a STARK proof: A cryptographic mechanism based on a zero-knowledge (ZK) scheme that allows you to prove that something is true without revealing any supporting information.
In this case, the owner uses the timestamp created in the first step as an anchor to prove that he knew his private key before the deadline set by the protocol. Bitcoin will mathematically verify its proof and enable spendingEven if the address had been frozen for other claimants, including a potential quantum attacker who derived the same key, Robinson argues.
According to Robinson, the limitations of PACT
Robinson is clear about the limitations of PACT.
- The first one is political: This proposal does not resolve whether Bitcoin should freeze vulnerable addresses. That decision remains the domain of the community, and there is no consensus about it.
- The second limitation is implementation. For the remedy proposed in the second step above to work, Bitcoin would need to build into its protocol the ability to directly verify STARK proofs, a significant technical change that the community has not yet begun to formally discuss. Without this update, timestamps created today will have no real effect. Currently, licensees who use PACT to write tests have no guarantee that this rescue will be implemented. “Licensees should not rely solely on PACT to protect themselves until rescue protocols are adopted,” Robinson cautions.
- The third is the scope. While PACT works for single-key wallets, multi-signature wallets, complex contracts, and custodial wallets require additional standardization that does not yet exist.
Still, Robinson argues that the cost of creating a test using PACT is so low that it’s worth doing anyway. “If there is a way to plant seeds now that will give us an advantage over crypto attackers in the future, long-term holders should embrace it.” The prerequisite is that the community agrees on a standard format for the protocol as soon as possible, giving owners as much time as possible before making decisions regarding address freezing.
